Appl. No.: 10/720,329 

Amdt. Dated October 15, 2008 

Response to Office Action of June 11, 2008 

Amendments to the Claims:

The following listing of claims will replace all prior versions and listings of claims in the
application.

1. (currently amended) A method facilitating classification of data flows, comprising 

monitoring a data flow associated with a host relative to at least one behavioral attribute; 

comparing the at least one behavioral attribute observed in the monitoring step to a
knowledge base of at least one known application behavior pattern, wherein the at least one
known application behavior pattern corresponds to a network application classification and
comprises one or more behavioral attribute parameter values; and

classifying the data flow into a network application classification based on the comparing
step.

2. (original) The method of claim 1 wherein the at least one behavioral attribute is packet size. 

3. (original) The method of claim 1 wherein the at least one behavioral attribute is packet size of 
the first packet in the data flow. 

4. (original) The method of claim 1 wherein the at least one behavioral attribute is packet size of 
the second packet in the data flow. 

5. (original) The method of claim 1 wherein the at least one behavioral attribute is packet size of 
plurality of packets in the data flow. 

6. (currently amended) The method of claim 1 wherein the at least one behavioral attribute is the
information density associated with at least one packet in the data flow, wherein the information
density corresponds to a level of randomness of data of the at least one packet.

7. (currently amended) The method of claim 1 wherein the at least one behavioral attribute is the
information density associated with the first packet in the data flow, wherein the information
density corresponds to a level of randomness of data of the at least one packet.

8. (original) The method of claim 1 wherein the at least one behavioral attribute is the timing of 
the data flow relative to at least one similar data flow associated with the host. 

9. (original) The method of claim 1 wherein the at least one behavioral attribute is the number of 
related data flows associated with the host. 

10. (original) The method of claim 1 wherein the at least one behavioral attribute is the timing 
between at least two packets in the data flow. 

11. (original) The method of claim 1 wherein the at least one behavioral attribute is a sequence of 
protocol flags contained in packets of the data flow. 

12. (original) The method of claim 1 wherein the at least one behavioral attribute is timing of 
protocol flags contained in packets of the data flow. 

13. (original) The method of claim 1 wherein the at least one behavioral attribute is the timing 
and sequence protocol flags contained in packets of the data flow.

14. (original) The method of claim 1 wherein the application behavior pattern comprises at least 
one instance of any one of the following: a packet size pattern, a threshold information density 
value, a threshold inter-flow timing value, or a threshold number of related application data flows. 

15. (original) The method of claim 1 wherein the application behavior pattern characterizes the
first group of packets of a data flow associated with a traffic class.

16. (original) The method of claim 14 wherein the application behavior pattern characterizes the 
first group of packets of a data flow associated with a traffic class, and wherein the first group of 
packets are characterized in relation to at least one instance of any one of the following: a packet 
size pattern, a threshold information density value, a threshold inter-flow timing value, or a 
threshold number of related application data flows. 

17. (currently amended) A method facilitating classification of data flows, comprising 

modeling behavior of a network application to generate an application behavior pattern
corresponding to the network application; and

configuring a network traffic monitoring device to monitor data flows relative to at least
one behavioral attribute and classify the data flows into a traffic class of a plurality of traffic
classes by comparing one or more of the data flows against the application behavior pattern;
wherein the application behavior pattern comprises at least one instance of any one of the 
following: a packet size pattern, a threshold information density value, a threshold inter-flow 
timing value, or a threshold number of related application data flows. 

18. (original) The method of claim 17 wherein the application behavior pattern comprises at least 
one instance of any one of the following: a packet size pattern, a threshold information density 
value, a threshold inter-flow timing value, or a threshold number of related application data flows, 
an inter-packet timing value, a sequence of protocol flags, an inter-packet protocol flag timing 
value. 

19. (previously amended) The method of claim 18 wherein the protocol flags are Transport 
Control Protocol (TCP) protocol flags. 

20. (currently amended) A method facilitating classification of data flows, comprising

monitoring the data flows associated with a host relative to at least one application
behavior model corresponding to a traffic class; 

matching at least one of the data flows associated with the host to a traffic class, if a
threshold number of the data flows match a corresponding application behavior model; wherein
the application behavior model comprises at least one instance of any one of the following: a
packet size pattern, a threshold information density value, a threshold inter-flow timing value, or
a threshold number of related application data flows, an inter-packet timing value, a sequence of
protocol flags, an inter-packet protocol flag timing value.

21. (previously amended) An apparatus comprising 
a packet processor operative to 

detect data flows in network traffic traversing a communications path, the data 
flows each comprising at least one packet; 

parse at least one packet associated with a data flow into a flow specification, 
a traffic classification engine operative to 

match the data flow to a plurality of traffic classes, wherein at least one of the 
plurality of traffic classes is defined by one or more matching attributes, wherein said matching 
attributes are explicitly presented in the packets associated with the data flows, and wherein at 
least one other of the traffic classes is defined by one or more application behavior patterns, 
wherein the application behavior patterns each comprise at least one instance of any one of the 
following: a packet size pattern, a threshold information density value, a threshold inter-flow 
timing value, or a threshold number of related application data flows, an inter-packet timing 
value, a sequence of protocol flags, or an inter-packet protocol flag timing value; 

having found a matching traffic class in the matching step, associate the flow 
specification corresponding to the data flow with a traffic class from the plurality of traffic 
classes. 



22. (canceled)

23. (previously amended) The apparatus of claim 21 wherein said flow specification contains at
least one instance of any one of the following: a protocol family designation, a direction of packet 
flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a 
multipurpose internet mail extensions (MIME) type, and a pointer to an application-specific 
attribute. 

24. (previously amended) The apparatus of claim 21 wherein said flow specification contains, 
and wherein the one or more matching attributes include, at least one instance of any one of the 
following: a protocol family designation, a direction of packet flow designation, a protocol type 
designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions 
(MIME) type, and a pointer to an application-specific attribute. 

25. (original) The apparatus of claim 21 further comprising 

a flow control module operative to apply bandwidth utilization controls to the data flows 
based on the traffic class associated with the data flows. 

26. (original) A method facilitating classification of data flows, comprising 

detecting a data flow in network traffic traversing a communications path, the data flows 
each comprising at least one packet; 

parsing explicit attributes at least one packet associated with the data flow into a flow 
specification, 

matching the flow specification to a first plurality of traffic classes, wherein the first 
plurality of traffic classes are each defined by one or more matching attributes, 

having found a matching traffic class in the matching step, associating the flow 
specification corresponding to the data flow with a traffic class from the first plurality of traffic 
classes, 

not having found a matching traffic class in the first plurality of traffic classes, matching
the data flow to at least one additional traffic class, the additional traffic class defined by an
application behavior pattern, the application behavior pattern comprising comprises at least one 
instance of: a packet size pattern, a threshold information density value, a threshold inter-flow 
timing value, or a threshold number of related application data flows. 

27. (previously amended) The method of claim 26 wherein the flow specification contains at 
least one instance of any one of the following: a protocol family designation, a direction of packet 
flow designation, a protocol type designation, a pair of hosts, a pair of ports, a pointer to a 
multipurpose internet mail extensions (MIME) type, and a pointer to an application-specific 
attribute. 

28. (previously amended) The method of claim 26 wherein said flow specification contains, and 
wherein the one or more matching attributes include, at least one instance of any one of the 
following: a protocol family designation, a direction of packet flow designation, a protocol type 
designation, a pair of hosts, a pair of ports, a pointer to a multipurpose internet mail extensions 
(MIME) type, and a pointer to an application-specific attribute. 

29. (currently amended) A method facilitating the classification of network traffic, comprising 

detecting a data flow in network traffic traversing a communications path, the data flow 
comprising at least one packet; 

classifying the data flow into a network application of a plurality of network applications
by

applying a mathematical function to at least one packet in the data flow to derive
a computed value that characterizes entropy of information contained in the at least one packet,
wherein the entropy information corresponds to a level of randomness of data of the at least one
packet; and

comparing the computed value to at least one traffic class corresponding to the
network application, said traffic class defined, at least in part, by a required computed entropy
value.

30. (original) The method of claim 29 wherein the required computed value is determined by 
applying the mathematical function to data flows known to be of the traffic class. 

31. (original) The method of claim 29 wherein the mathematical function computes a value 
indicating the information density of at least one packet. 

32. (original) The method of claim 29 wherein the required computed value is a range of values. 

33. (previously amended) A method facilitating the classification of network traffic, comprising 

detecting a data flow in network traffic traversing a communications path, the data flow 
comprising at least one packet containing a first checksum; 

applying a mathematical function to at least one packet in the data flow to derive a 
second checksum; 

comparing the computed second checksum to the first checksum contained in the at 
least one packet; 

matching the data flow to a traffic class, wherein the traffic class is defined at least in part 
by whether the computed second checksum should match the first checksum in the at least one 
packet. 
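
The following is an added illustration, not part of the filing and not the applicant's implementation, of the information-density classification recited in claims 6 and 29 to 32: Shannon entropy serves as the mathematical function, and the required value range for each traffic class is derived from flows known to be of that class. The function names, class labels, margin and sample payloads are all assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

def information_density(payload: bytes) -> float:
    """Shannon entropy of the payload's byte distribution, in bits per byte (0.0 to 8.0)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())

def learn_range(known_payloads, margin=0.25):
    """Required value as a range (claim 32), from flows known to be of the class (claim 30)."""
    values = [information_density(p) for p in known_payloads]
    return (max(0.0, min(values) - margin), min(8.0, max(values) + margin))

def classify(payload: bytes, traffic_classes: dict, default="unclassified") -> str:
    """Compare the computed value with each class's required range (claim 29)."""
    h = information_density(payload)
    for name, (low, high) in traffic_classes.items():
        if low <= h <= high:
            return name
    return default

def constructed_random(seed: bytes, n: int = 512) -> bytes:
    """Deterministic random-looking bytes standing in for an encrypted first packet."""
    return hashlib.shake_256(seed).digest(n)

# Constructed training payloads (assumed first packets of flows of known class).
KNOWN_CLEARTEXT = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.org\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.net\r\nContent-Length: 27\r\n\r\n"
    b"user=alice&password=secret1",
]
KNOWN_ENCRYPTED = [constructed_random(s) for s in (b"a", b"b", b"c")]

TRAFFIC_CLASSES = {
    "cleartext-like": learn_range(KNOWN_CLEARTEXT),
    "encrypted-like": learn_range(KNOWN_ENCRYPTED),
}

if __name__ == "__main__":
    for label, (low, high) in TRAFFIC_CLASSES.items():
        print(f"{label}: {low:.2f} to {high:.2f} bits/byte")
    print(classify(constructed_random(b"d"), TRAFFIC_CLASSES))
```

Compressed payloads score as high as encrypted ones on this measure, so a deployed classifier would pair it with the other behavioral attributes the claims list, such as packet size and inter-flow timing.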